<pre class='metadata'>
Title: Permissions
Repository: w3c/permissions
Status: ED
ED: https://w3c.github.io/permissions/
TR: https://www.w3.org/TR/permissions/
Shortname: permissions
Level: none
Group: webappsec
Editor: Mounir Lamouri, w3cid 45389, Google Inc. https://google.com/
Editor: Marcos Cáceres, w3cid 39125, Mozilla https://mozilla.com/
Editor: Jeffrey Yasskin, w3cid 72192, Google Inc. https://google.com/
Previous Version: https://www.w3.org/TR/2015/WD-permissions-20150407/

Abstract: The <cite>Permissions Standard</cite> defines common infrastructure for other specifications that need to interact with browser permissions. It also defines an API to allow web applications to query and request changes to the status of a given permission.
Mailing List: public-webappsec@w3.org
Mailing List Archives: http://lists.w3.org/Archives/Public/public-webappsec/

!Participate: <a href="https://github.com/w3c/permissions">We are on Github.</a>
!Participate: <a href="https://github.com/w3c/permissions/issues">File a bug.</a>
!Participate: <a href="https://github.com/w3c/permissions/commits/gh-pages">Commit history.</a>
!Implementation status: <a href="https://code.google.com/p/chromium/issues/detail?id=437770">Blink/Chromium</a>
!Implementation status: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1105827">Gecko</a>

Markup Shorthands: css no, markdown yes
</pre>
<pre class="anchors">
spec: ECMAScript; urlPrefix: https://tc39.github.io/ecma262/#
    type: dfn
        text: Realm; url: sec-code-realms
        text: current realm; url: current-realm
    type: interface
        text: TypeError; url: sec-native-error-types-used-in-this-standard-typeerror
spec: mediacapture-main; urlPrefix: https://w3c.github.io/mediacapture-main/#
    type: attribute
        for: MediaDeviceInfo; text: deviceId
    type: method
        for: MediaDevices; text: getUserMedia(); url: dom-mediadevices-getusermedia
    type: event
        for: MediaDevices; text: devicechange
spec: sensors; urlPrefix: https://w3c.github.io/sensors/#
    type: dfn
        text: generic sensor permission revocation algorithm; url: generic-sensor-permission-revocation-algorithm
spec: manifest; urlPrefix: https://w3c.github.io/manifest/#
    type: dfn
        text: install; url: dfn-install
spec: webdriver; urlPrefix: https://w3c.github.io/webdriver/webdriver-spec.html#
    type: dfn
        text: current browsing context; url: dfn-current-browsing-context
        text: WebDriver error; url: dfn-error
        text: WebDriver error code; url: dfn-error-code
        text: extension command; url: dfn-extension-commands
        text: extension command URI template; url: dfn-extension-command-uri-template
        text: invalid argument; url: dfn-invalid-argument
        text: local end; url: dfn-local-end
        text: remote end steps; url: dfn-remote-end-steps
        text: session; url: dfn-session
        text: success; url: dfn-success
</pre>
<pre class="link-defaults">
spec: dom
    type: interface
        text: Document
spec: html
    type: dfn
        text: event handler
        text: event handler event type
        text: in parallel
        text: origin; for: /
        text: queue a task
spec: storage
    type: enum-value
        for: PermissionName; text: "persistent-storage"
spec: infra
    type: dfn
        text: list
        for: list; text: append
spec: ui-events
    type: dfn
        text: user agent
spec: web-bluetooth
    type: enum-value
        for: PermissionName; text: "bluetooth"
spec: webidl
    type: interface
        text: Promise
</pre>

<section class='non-normative'>
  <h2 id="scope-of-this-document">
    Scope of this document
  </h2>
  <p><em>This section is non-normative.</em></p>
  <p>
    This document specifies a model for permissions to use powerful features on
    the Web platform and an API to query the current permission state of those
    features.
  </p>
  <p>
    Current Web APIs have different ways to deal with permissions. For example,
    the [[notifications]] API allows developers to request a permission and
    check the permission status explicitly. Others expose the status to web
    pages when they try to use the API, like the [[geolocation-API]] which fails
    if the permission was not granted without allowing the developer to check
    beforehand.
  </p>
  <p>
    The {{Permissions/query()}} function provides a tool for developers to
    control when permission prompts are shown.
  </p>
  <p>
    The solution described in this document is meant to be extensible, but isn't
    expected to be applicable to all the current and future permissions
    available in the web platform. Working Groups that are creating
    specifications whose permission model doesn't fit in the model described in
    this document should contact the editors by
    <a href="https://github.com/w3c/permissions/issues">filing an issue</a>.
  </p>
</section>
<section class='non-normative'>
  <h2 id="privacy-considerations">
    Privacy considerations
  </h2>
  <p><em>This section is non-normative.</em></p>
  <p>
    An adversary could use a <a>permission state</a> as an element in creating a
    "fingerprint" corresponding to an end-user. Although an adversary can
    already determine the state of a permission by actually using the API, that
    often leads to a permission request UI being presented to the end-user (if
    the permission was not already {{"granted"}}). Thus, even though this API
    doesn't expose new fingerprinting information to websites, it makes it
    easier for an adversary to have discreet access to this information. Thus,
    implementations are encouraged to have an option for users to block
    (globally or selectively) the querying of <a>permission states</a>.
  </p>
</section>
<section>
  <h2 id="definitions">Definitions</h2>

  <dl>
    <dt><dfn export>New information about the user's intent</dfn></dt>
    <dd>
      The UA may collect information about a user's intentions in any way its
      authors believe is appropriate. This information can come from explicit
      user action, aggregate behavior of both the relevant user and other users,
      or <a>implicit signals</a> this specification hasn't anticipated.
      <div class="note">
        The <dfn>implicit signals</dfn> could be, for example, the
        <a>install</a> status of a web application or frequency and recency of
        visits. A user that has installed a web application and used it
        frequently and recently is more likely to trust it. Implementations are
        advised to exercise caution when relying on implicit signals.
      </div>
    </dd>

    <dt><dfn export local-lt="feature">Powerful feature</dfn></dt>
    <dd>
      A feature of a UA that some code might not be allowed to access, for
      example because its <a>environment settings object</a> doesn't satisfy
      some criteria, or because the user hasn't given permission.
    </dd>
  </dl>
</section>
<section>
  <h2 id="permission-descriptor">
    Descriptions of permission requests
  </h2>
  <pre class='idl' title=''>
    dictionary PermissionDescriptor {
      required PermissionName name;
    };
  </pre>
  <p>
    Each <a>powerful feature</a> has one or more <dfn>aspects</dfn> that
    websites can request permission to access. To describe these aspects,
    each feature defines a subtype of {{PermissionDescriptor}} to be its
    <a>permission descriptor type</a>.
  </p>
  <div class="example" id="example-descriptors">
    <p>
      The {{"midi"}} <a>feature</a> has two <a>aspects</a>: access to normal messages, and
      access to system exclusive messages. Thus, its <a>permission descriptor type</a>
      is:
    </p>
    <pre>
      dictionary MidiPermissionDescriptor : PermissionDescriptor {
        boolean sysex = false;
      };
    </pre>
    <p>
      The {{"bluetooth"}} feature lets sites request to access whatever
      Bluetooth devices are close to to the user's device. Thus, its
      <a>permission descriptor type</a> is:
    </p>
    <pre>
      dictionary BluetoothPermissionDescriptor : PermissionDescriptor {
        DOMString deviceId;
        sequence&lt;<a idl>BluetoothLEScanFilterInit</a>> filters;
        sequence&lt;<a idl>BluetoothServiceUUID</a>> optionalServices = [];
        boolean acceptAllDevices = false;
      };
    </pre>
    <p>
      General access to Bluetooth devices is represented by `{name:
      'bluetooth'}`; access to a particular device is represented by `{name:
      'bluetooth', deviceId: "id"}`; and access to a device with a particular
      service is represented by `{name: 'bluetooth', filters: [{services:
      ['service']}]}`
    </p>
  </div>
</section>
<section>
  <h2 id="permission-operations">Permission states</h2>
  <p>
    The user agent is responsible for tracking what <a>powerful features</a>
    each <a>realm</a> has the user's permission to use. Other specifications can
    use the operations defined in this section to retrieve the UA's notion of
    what permissions are granted or denied, and to ask the user to grant or deny
    more permissions.
  </p>

  <p>
    Other specifications can also add more constraints on the UA's behavior in
    these algorithms.
  </p>

  <p>
    Within this section, |descriptor| is an instance of the <a>permission
    descriptor type</a> of the <a>powerful feature</a> named by
    <code>|descriptor|.{{PermissionDescriptor/name}}</code>.
  </p>

  <section>
    <h3 id="reading-current-states">Reading the current permission state</h3>
    <div algorithm>
      <p>
        A |descriptor|'s <dfn export local-lt="state">permission state</dfn> for
        an optional <a>environment settings object</a> |settings| is
        the result of the following algorithm, which returns one of
        {{"granted"}}, {{"prompt"}}, or {{"denied"}}:
      </p>
      <ol class="algorithm">
        <li>
          If |settings| wasn't passed, set it to the <a>current settings object</a>.
        </li>
        <li>
          If |settings| is a <a>non-secure context</a>
          and <code>|descriptor|.{{PermissionDescriptor/name}}</code> isn't
          <a>allowed in non-secure contexts</a>, then return {{"denied"}}.
        </li>
        <li>
          If there exists a [=policy-controlled feature=] identified by
          <code>|descriptor|.{{PermissionDescriptor/name}}</code> and |settings| has an
          <a>associated `Document`</a> named <var>document</var>, run the following step:
          <ol class="algorithm">
            <li>
              If <var>document</var> is not <a>allowed to use</a> the feature
              identified by <code>|descriptor|.{{PermissionDescriptor/name}}</code>
              return {{"denied"}}.
            </li>
          </ol>
        </li>
        <li>
          If there was a previous invocation of this algorithm with the same
          |descriptor| and |settings|, returning
          |previousResult|, and the UA has not received <a>new information about
          the user's intent</a> since that invocation, return |previousResult|.
        </li>
        <li>
          Return whichever of the following options most accurately reflects the user's
          intent for the calling algorithm, taking into account any
          <a>permission state constraints</a> for
          <code>|descriptor|.{{PermissionDescriptor/name}}</code>:
          <dl class="switch">
            <dt>succeed without prompting the user</dt>
            <dd>{{"granted"}}</dd>

            <dt>show the user a prompt to decide whether to succeed</dt>
            <dd>{{"prompt"}}</dd>

            <dt>fail without prompting the user</dt>
            <dd>{{"denied"}}</dd>
          </dl>
        </li>
      </ol>

      <p class="issue" id="issue-current-entry-incumbent-or-relevant">
        Safari is the only known UA that returns different results from this
        algorithm for different settings objects with the same origin. We should
        test which of the <a
        href="https://html.spec.whatwg.org/multipage/webappapis.html#realms-settings-objects-global-objects">several
        possible settings objects</a> it uses.
      </p>

      <p>
        As a shorthand, a {{PermissionName}} |name|'s <a>permission state</a> is
        the <a>permission state</a> of a {{PermissionDescriptor}} with its
        {{PermissionDescriptor/name}} member set to |name|.
      </p>
    </div>

    <div algorithm>
      <p>
        Some <a>powerful features</a> have more information associated with them
        than just a {{PermissionState}}. For example,
        {{MediaDevices/getUserMedia()}} needs to determine <em>which</em> cameras
        the user has granted the <a>current realm</a> permission to access. Each
        of these features defines an <a>extra permission data type</a>. If a
        {{PermissionName}} |name| names one of these features, then |name|'s
        <dfn export>extra permission data</dfn> for an optional <a>environment
        settings object</a> |settings| is the result of the following algorithm:
      </p>
      <ol class="algorithm">
        <li>
          If |settings| wasn't passed, set it to the <a>current settings object</a>.
        </li>
        <li>
          If there was a previous invocation of this algorithm with the same
          |name| and |settings|, returning
          |previousResult|, and the UA has not received <a>new information about
          the user's intent</a> since that invocation, return |previousResult|.
        </li>
        <li>
          Return the instance of |name|'s <a>extra permission data type</a> that
          matches the UA's impression of the user's intent, taking into account
          any <a>extra permission data constraints</a> for |name|.
        </li>
      </ol>
    </div>
  </section>
  <section>
    <h3 id="requesting-more-permission">Requesting more permission</h3>

    <p class="note">
      Spec authors, please note that algorithms in this section can wait for
      user input; so they shouldn't be used from other algorithms running on
      the main thread.
    </p>

    <div algorithm="request-permission-to-use">
      <p>
        To <dfn lt="request permission to use|requesting permission to use"
                export>request permission to use</dfn> a |descriptor|, the UA
        must perform the following steps. This algorithm returns either
        {{"granted"}} or {{"denied"}}.
      </p>
      <ol>
        <li>
          Let <var>current state</var> be the |descriptor|'s <a>permission
          state</a>.
        </li>
        <li>
          If <var>current state</var> is not {{"prompt"}}, return
          <var>current state</var> and abort these steps.
        </li>
        <li>
          Ask the user's permission for the calling algorithm to use the
          <a>powerful feature</a> described by |descriptor|.
        </li>
        <li>
          If the user grants permission, return {{"granted"}}; otherwise return
          {{"denied"}}. The user's interaction may provide <a>new information
          about the user's intent</a> for this <a>realm</a> and other
          <a>realms</a> with the <a>same origin</a>.

          <p class="note">
            This is intentionally vague about the details of the permission UI
            and how the UA infers user intent. UAs should be able to explore
            lots of UI within this framework.
          </p>
        </li>
      </ol>

      <p>
        As a shorthand, <a>requesting permission to use</a> a {{PermissionName}}
        |name|, is the same as <a>requesting permission to use</a> a
        {{PermissionDescriptor}} with its {{PermissionDescriptor/name}} member
        set to |name|.
      </p>
    </div>

    <div algorithm="prompt-user-to-choose">
      <p>
        To <dfn lt="prompt the user to choose|prompting the user to choose"
                export>prompt the user to choose</dfn> one of several |options|
        associated with a |descriptor|, the UA must perform the following steps.
        This algorithm returns either {{"denied"}} or one of the options.
      </p>
      <ol>
        <li>
          If |descriptor|'s <a>permission state</a> is {{"denied"}},
          return {{"denied"}} and abort these steps.
        </li>
        <li>
          If |descriptor|'s <a>permission state</a> is {{"granted"}}, the UA may
          return one of |options| and abort these steps. If the UA returns
          without prompting, then subsequent <a lt="prompt the user to
          choose">prompts for the user to choose</a> from the same set of
          options with the same |descriptor| must return the same option, unless
          the UA receives <a>new information about the user's intent</a>.
        </li>
        <li>
          Ask the user to choose one of the options or deny permission, and wait
          for them to choose. If the calling algorithm specified extra
          information to include in the prompt, include it.
        </li>
        <li>
          If the user chose an option, return it; otherwise return {{"denied"}}.
          If the user's interaction indicates they intend this choice to apply
          to other realms, then treat this this as <a>new information about
          the user's intent</a> for other <a>realms</a> with the <a>same
          origin</a>.

          <p class="note">
            This is intentionally vague about the details of the permission UI
            and how the UA infers user intent. UAs should be able to explore
            lots of UI within this framework.
          </p>
        </li>
      </ol>

      <p>
        As a shorthand, <a>prompting the user to choose</a> from options
        associated with a {{PermissionName}} |name|, is the same as <a>prompting
        the user to choose</a> from those options associated with a
        {{PermissionDescriptor}} with its {{PermissionDescriptor/name}} member
        set to |name|.
      </p>
    </div>
  </section>
  <section>
    <h3 id="reacting-to-revocation">Reacting to users revoking permission</h3>

    <p>
      When the UA learns that the user no longer intends to grant permission
      for a <a>realm</a> to use a <a>feature</a>, it must <a>queue a task</a>
      on the Realm's <a for="Realm">settings object</a>'s <a>responsible event
      loop</a> to run that feature's <a>permission revocation algorithm</a>.
    </p>
  </section>
</section>

<section>
  <h2 id="status-of-a-permission">
    Status of a permission
  </h2>
  <pre class='idl'>
    enum PermissionState {
      "granted",
      "denied",
      "prompt",
    };
  </pre>
  <p>
    The <dfn for="PermissionState" enum-value>"granted"</dfn> state represents
    that the caller will be able
    to successfuly access the feature without having the <a>user agent</a>
    asking the user's permission.
  </p>
  <p>
    The <dfn for="PermissionState" enum-value>"denied"</dfn> state represents
    that the caller will not be
    able to access the feature.
  </p>
  <p>
    The <dfn for="PermissionState" enum-value>"prompt"</dfn> state represents
    that the <a>user agent</a>
    will be asking the user's permission if the caller tries to access the
    feature. The user might grant, deny or dismiss the request.
  </p>
  <pre class='idl'>
    [Exposed=(Window,Worker)]
    interface PermissionStatus : EventTarget {
      readonly attribute PermissionState state;
      attribute EventHandler onchange;
    };
  </pre>
  <p>
    {{PermissionStatus}} instances are created with a <dfn
    for="PermissionStatus" attribute>\[[query]]</dfn> internal slot, which is an
    instance of a feature's <a>permission descriptor type</a>.
  </p>

  <p>
    To <dfn>create a PermissionStatus</dfn> for a given {{PermissionDescriptor}}
    |permissionDesc|, return a new instance of the <a>permission result
    type</a> for the feature named by <code>|permissionDesc|.{{name}}</code>,
    with the {{PermissionStatus/[[query]]}} internal slot initialized to
    |permissionDesc|.
  </p>
  <p>
    The <dfn for="PermissionStatus" attribute>state</dfn>
    attribute MUST return the latest value that was set on the current
    instance.
  </p>
  <p>
    The <dfn for="PermissionStatus" attribute>onchange</dfn> attribute is an
    <a>event handler</a> whose corresponding <a>event handler event
    type</a> is <code>change</code>.
  </p>
  <p id="PermissionStatus-update">
    Whenever the <a>user agent</a> is aware that the state of a
    {{PermissionStatus}} instance <var>status</var> has changed,
    it MUST asynchronously run the following steps:
  </p>
  <ol>
    <li>
      Run <code><var>status</var>@{{[[query]]}}.{{name}}</code>'s <a>permission
      query algorithm</a>, passing <code><var>status</var>@{{[[query]]}}</code>
      and <var>status</var>.
    </li>
    <li>
      <a>Queue a task</a> on the <dfn>permission task source</dfn> to
      <a>fire an event</a> named <code>change</code> at
      <var>status</var>.
    </li>
  </ol>
</section>
<section>
  <h2 id="navigator-and-workernavigator-extension">
    Navigator and WorkerNavigator extension
  </h2>
  <pre class='idl'>
    [Exposed=(Window)]
    partial interface Navigator {
      [SameObject] readonly attribute Permissions permissions;
    };
  </pre>
  <pre class='idl'>
    [Exposed=(Worker)]
    partial interface WorkerNavigator {
      [SameObject] readonly attribute Permissions permissions;
    };
  </pre>
</section>
<section>
  <h2 id="permissions-interface">
    Permissions interface
  </h2>
  <pre class='idl'>
    [Exposed=(Window,Worker)]
    interface Permissions {
      Promise&lt;PermissionStatus&gt; query(object permissionDesc);
    };
  </pre>
  <p>
    When the <dfn for='Permissions' method>query(permissionDesc)</dfn> method is
    invoked, the <a>user agent</a> MUST run the following <dfn export>query a
    permission</dfn> algorithm, passing the parameter
    <var>permissionDesc</var>:
  </p>
  <ol>
    <li>Let |rootDesc| be the object |permissionDesc| refers to, <a>converted to
    an IDL value</a> of type {{PermissionDescriptor}}. If this throws an
    exception, return <a>a promise rejected with</a> that exception and abort
    these steps.
    </li>
    <li>Let |typedDescriptor| be the object |permissionDesc| refers to,
    <a>converted to an IDL value</a> of
    <code>|rootDesc|.{{PermissionDescriptor/name}}</code>'s <a>permission
    descriptor type</a>. If this throws an exception, return <a>a promise
    rejected with</a> that exception and abort these steps.
    </li>
    <li>Let <var>promise</var> be a newly-created {{Promise}}.
    </li>
    <li>Return <var>promise</var> and continue the following steps
    asynchronously.
    </li>
    <li>Run the steps to <a>create a PermissionStatus</a> for |typedDescriptor|,
    and let <var>status</var> be the result.
    </li>
    <li>
      Run <code>|status|@{{[[query]]}}.{{name}}</code>'s <a>permission query
      algorithm</a>, passing <code>|status|@{{[[query]]}}</code> and |status|.
    </li>
    <li>Resolve <var>promise</var> with <var>status</var>.
    </li>
  </ol>
  <div class='note'>
    If a developer wants to check multiple permissions at once, the editors
    recommend the use of <code>{{Promise}}.all()</code>. An example can be
    found in the <a href='#examples'>Examples section</a>.
  </div>
</section>
<section>
  <h2 id="common-permission-algorithms">
    Common permission algorithms
  </h2>
  <p>
    The <dfn export>boolean permission query algorithm</dfn>, given a
    {{PermissionDescriptor}} <var>permissionDesc</var> and a
    {{PermissionStatus}} <var>status</var>, runs the following steps:
  </p>
  <ol class="algorithm">
    <li>
      Set <code><var>status</var>.state</code> to |permissionDesc|'s
      <a>permission state</a>.
    </li>
  </ol>
</section>
<section>
  <h2 id="permission-registry">
    Permission Registry
  </h2>
  <!-- IDL blocks can't link outside the current spec, but these enum-values are
       supposed to be defined in other specs. -->
  <pre highlight='idl' link-for="PermissionName">
    enum <dfn enum>PermissionName</dfn> {
      <a enum-value>"geolocation"</a>,
      <a enum-value>"notifications"</a>,
      <a enum-value>"push"</a>,
      <a enum-value>"midi"</a>,
      <a enum-value>"camera"</a>,
      <a enum-value>"microphone"</a>,
      <a enum-value>"speaker"</a>,
      <a enum-value>"device-info"</a>,
      <a enum-value>"background-fetch"</a>,
      <a enum-value>"background-sync"</a>,
      <a enum-value>"bluetooth"</a>,
      <a enum-value>"persistent-storage"</a>,
      <a enum-value>"ambient-light-sensor"</a>,
      <a enum-value>"accelerometer"</a>,
      <a enum-value>"gyroscope"</a>,
      <a enum-value>"magnetometer"</a>,
      <a enum-value>"clipboard"</a>,
      <a enum-value>"display-capture"</a>,
      <a enum-value>"nfc"</a>,
    };
  </pre>
  <p class="note">
  The enumeration values {{"accelerometer"}}, {{"gyroscope"}} and
  {{"magnetometer"}} are considered provisional and are subject to change
  based on feedback from early implementations. See
  <a href="https://github.com/w3c/sensors/issues/22">w3c/sensors#22</a> issue
  for more information.
  </p>
  <p>
    Each enumeration value in the {{PermissionName}} enum identifies a
    <a>powerful feature</a>. Each <a>powerful feature</a> has the following
    permission-related flags, algorithms, and types:
  </p>
  <dl>
    <dt>An <dfn export>allowed in non-secure contexts</dfn> flag</dt>
    <dd>
      By default, only <a>secure contexts</a> can use <a>powerful features</a>.
      If this flag is set for a feature, the UA may grant access to it in
      <a>non-secure contexts</a> too.
    </dd>

    <dt>
      A <dfn export>permission descriptor type</dfn>
    </dt>
    <dd>
      <p>
        {{PermissionDescriptor}} or one of its subtypes.
        If unspecified, this defaults to {{PermissionDescriptor}}.
      </p>
      <p>
        The feature can define a <a
        href="https://en.wikipedia.org/wiki/Partially_ordered_set">partial
        order</a> on descriptor instances. If |descriptorA| is <dfn
        for="PermissionDescriptor">stronger than</dfn> |descriptorB|, then if
        |descriptorA|'s <a>permission state</a> is {{"granted"}},
        |descriptorB|'s <a>permission state</a> must also be {{"granted"}}, and
        if |descriptorB|'s <a>permission state</a> is {{"denied"}},
        |descriptorA|'s <a>permission state</a> must also be {{"denied"}}.
      </p>
      <p class="example" id="example-stronger-than">
        <code>{name: {{"midi"}}, sysex: true}</code> ("midi-with-sysex") is
        <a>stronger than</a> <code>{name: {{"midi"}}, sysex: false}</code>
        ("midi-without-sysex"), so if the user denies access to
        midi-without-sysex, the UA must also deny access to midi-with-sysex, and
        similarly if the user grants access to midi-with-sysex, the UA must also
        grant access to midi-without-sysex.
      </p>
    </dd>

    <dt>Optional <dfn export>permission state constraints</dfn></dt>
    <dd>
      Constraints on the values that the UA can return as a descriptor's
      <a>permission state</a>. Defaults to no constraints beyond the user's
      intent.
    </dd>

    <dt>
      An optional <dfn export>extra permission data type</dfn>
    </dt>
    <dd>
      If specified, the <a>extra permission data</a> algorithm is usable for
      this feature.
    </dd>

    <dt>Optional <dfn export>extra permission data constraints</dfn></dt>
    <dd>
      Constraints on the values that the UA can return as a {{PermissionName}}'s
      <a>extra permission data</a>. Defaults to no constraints beyond the user's
      intent.
    </dd>

    <dt>
      A <dfn export>permission result type</dfn>
    </dt>
    <dd>
      {{PermissionStatus}} or one of its subtypes.
      If unspecified, this defaults to {{PermissionStatus}}.
    </dd>
    <dt>
      A <dfn export>permission query algorithm</dfn>
    </dt>
    <dd>
      Takes an instance of the <a>permission descriptor type</a> and a new or
      existing instance of the <a>permission result type</a>, and updates the
      <a>permission result type</a> instance with the query result. Used by
      {{Permissions}}' {{Permissions/query(permissionDesc)}} method and the <a
      href="#PermissionStatus-update">PermissionStatus update steps</a>. If
      unspecified, this defaults to the <a>boolean permission query
      algorithm</a>.
    </dd>
    <dt>
      A <dfn export>permission revocation algorithm</dfn>
    </dt>
    <dd>
      Takes no arguments. Updates any other parts of the implementation that
      need to be kept in sync with changes in the results of <a>permission
      states</a> or <a>extra permission data</a>. Run by [[#reacting-to-revocation]].
      If unspecified, this defaults to doing nothing.
    </dd>
  </dl>
  <p>
    A <dfn export>boolean feature</dfn> is a <a>powerful feature</a> with all
    of the above types and algorithms defaulted.
  </p>
  <section>
    <h3 id="geolocation">
      Geolocation
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"geolocation"</dfn>
      permission is the permission associated with the usage of the
      [[geolocation-API]]. It is a <a>boolean feature</a> and is <a>allowed in
      non-secure contexts</a>.
    </p>
  </section>
  <section>
    <h3 id="notifications">
      Notifications
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"notifications"</dfn>
      permission is the permission associated with the usage of the
      [[notifications]] API. It is a <a>boolean feature</a> and is <a>allowed in
      non-secure contexts</a>.
    </p>
  </section>
  <section>
    <h3 id="push">
      Push
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"push"</dfn>
      permission is the permission associated with the usage of the
      [[push-api]].
    </p>
    <dl>
      <dt>
        <a>permission descriptor type</a>
      </dt>
      <dd>
        <pre class='idl'>
          dictionary PushPermissionDescriptor : PermissionDescriptor {
            boolean userVisibleOnly = false;
          };
        </pre>
        <p>
          `{name: "push", userVisibleOnly: false}` is <a>stronger than</a>
          `{name: "push", userVisibleOnly: true}`.
        </p>
      </dd>
    </dl>
  </section>
  <section>
    <h3 id="midi">
      Midi
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"midi"</dfn>
      permission is the permission associated with the usage of
      [[webmidi]]. {{"midi"}} is <a>allowed in non-secure contexts</a>.
    </p>
    <dl>
      <dt>
        <a>permission descriptor type</a>
      </dt>
      <dd>
        <pre class='idl'>
          dictionary MidiPermissionDescriptor : PermissionDescriptor {
            boolean sysex = false;
          };
        </pre>
        <p>
          `{name: "midi", sysex: true}` is <a>stronger than</a> `{name: "midi",
          sysex: false}`.
        </p>
      </dd>
    </dl>
  </section>
  <section>
    <h3 id="media-devices">
      Media Devices
    </h3>
    <p dfn-for="PermissionName" dfn-type="enum-value">
      The <dfn>"camera"</dfn>, <dfn>"microphone"</dfn> , and
      <dfn>"speaker"</dfn>
      permissions are associated with permission to use media devices as
      specified in [[GETUSERMEDIA]] and [[audio-output]]. {{"speaker"}} is
      <a>allowed in non-secure contexts</a>. {{"camera"}} and {{"microphone"}}
      MAY be <a>allowed in non-secure contexts</a>.
    </p>
    <dl>
      <dt>
        <a>permission descriptor type</a>
      </dt>
      <dd>
        <pre class='idl'>
          dictionary DevicePermissionDescriptor : PermissionDescriptor {
            DOMString deviceId;
          };
        </pre>
        <p>
          A permission covers access to the device given in the associated
          descriptor.
        </p>
        <p>
          If the descriptor does not have a
          {{DevicePermissionDescriptor/deviceId}}, its semantic is that it
          queries for access to all devices of that class. Thus, if a query for
          the {{"camera"}} permission with no
          {{DevicePermissionDescriptor/deviceId}} returns {{"granted"}}, the
          client knows that there will never be a permission prompt for a
          camera, and if {{"denied"}} is returned, it knows that no getUserMedia
          request for a camera will succeed.
        </p>
        <p>
          If a permission state is present for access to some, but not all,
          cameras, a query without the {{DevicePermissionDescriptor/deviceId}}
          will return {{"prompt"}}.
        </p>
        <p>
          Note that a "granted" permission is no guarantee that getUserMedia
          will succeed. It only guarantees that the user will not be
          prompted for permission. There are many other things (such as
          constraints or the camera being in use) that can cause getUserMedia
          to fail.
        </p>
      </dd>
      <dt>
        <a>extra permission data type</a>
      </dt>
      <dd>
        A list of {{MediaDeviceInfo/deviceId}} values for the devices the user
        has made a non-default decision on access to.
      </dd>
      <dt>
        <a>permission query algorithm</a>
      </dt>
      <dd>
        The permission query algorithm runs the following steps:
        <ol class="algorithm">
        <li>
        If |permissionDesc|.deviceId exists in the <a>extra permission data</a>,
        set <code><var>status</var>.state</code>
        to |permissionDesc|'s <a>permission state</a> and terminate these
        steps.
        </li>
        <li>Let <var>global</var> be a copy of |permissionDesc| with the
        {{DevicePermissionDescriptor/deviceId}} member removed.
        </li>
        <li>
        Set <code><var>status</var>.state</code> to <var>global</var>'s
        <a>permission state</a>.
        </li>
      </dd>
      <dt>
        <a>permission request algorithm</a>
      </dt>
      <dd>
        The permission request algorithm runs the following steps:
        <ol class="algorithm">
        <li>
        Let <var>result</var> be the result of running the <a>boolean permission
        request algorithm</a>.
        </li>
        <li>If <var>result</var> is {{"granted"}}, the UA MUST set the
        {{"device-info"}} permission to {{"granted"}} for this <a>realm</a>.
        </li>
        <li>The UA MAY treat <var>result</var> as <a>new information about the
        user's intent</a> with respect to the {{"device-info"}} permission for
        this <a>realm</a> and other <a>realms</a> with the <a>same origin</a>,
        provided it doesn't violate the previous step.
        </li>
        <li>Return <var>result</var>.
        </li>
      </dd>
      <dt>
        <a>permission revocation algorithm</a>
      </dt>
      <dd>
        When permission for a device is revoked, the UA MUST run the
        algorithm to stop the track for any other reason than the stop()
        method being invoked for each MediaStreamTrack sourced from that
        device. <!--TODO make a link target in the spec -->
      </dd>
    </dl>
    <p>
      The <dfn for="PermissionName" enum-value>"device-info"</dfn>
      permission controls access to the name and capabilities associated with a
      {{MediaDeviceInfo/deviceId}}, as well as whether
      {{MediaDevices/devicechange}} events fire when the current browsing
      context is not in focus. The {{"device-info"}} permission MUST be revoked
      when {{MediaDeviceInfo/deviceId}}s for an origin are reset.
    </p>
  </section>
  <section>
    <h3 id="background-fetch">
      Background Fetch
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"background-fetch"</dfn>
      permission is the permission associated with the usage of
      [[background-fetch]].
    </p>
  </section>
  <section>
    <h3 id="background-sync">
      Background Sync
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"background-sync"</dfn>
      permission is the permission associated with the usage of
      [[web-background-sync]].
    </p>
  </section>
  <section>
    <h3 id="ambient-light-sensor">
      Ambient Light Sensor
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"ambient-light-sensor"</dfn>
      permission is the permission associated with the usage of the
      [[ambient-light]] API.

      Its <a>permission revocation algorithm</a> is the result of calling
      <a>generic sensor permission revocation algorithm</a>
      passing it <a enum-value>"ambient-light-sensor"</a> as argument.
    </p>
  </section>
  <section>
    <h3 id="accelerometer">
      Accelerometer
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"accelerometer"</dfn>
      permission is the permission associated with the usage of the
      [[accelerometer]] API.

      Its <a>permission revocation algorithm</a> is the result of calling
      <a>generic sensor permission revocation algorithm</a>
      passing it <a enum-value>"accelerometer"</a> as argument.
    </p>
  </section>
  <section>
    <h3 id="gyroscope">
      Gyroscope
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"gyroscope"</dfn>
      permission is the permission associated with the usage of the
      [[gyroscope]] API.

      Its <a>permission revocation algorithm</a> is the result of calling
      <a>generic sensor permission revocation algorithm</a>
      passing it <a enum-value>"gyroscope"</a> as argument.
    </p>
  </section>
  <section>
    <h3 id="magnetometer">
      Magnetometer
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"magnetometer"</dfn>
      permission is the permission associated with the usage of the
      [[magnetometer]] API.

      Its <a>permission revocation algorithm</a> is the result of calling
      <a>generic sensor permission revocation algorithm</a>
      passing it <a enum-value>"magnetometer"</a> as argument.
    </p>
  </section>
  <section>
    <h3 id="clipboard">
      Clipboard
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"clipboard"</dfn>
      permission is the permission associated with the usage of the
      asynchronous methods in the [[clipboard-apis]].
    </p>
  </section>
  <section>
    <h3 id="screen-capture">
      Screen Capture
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"display-capture"</dfn>
      permission is the permission associated with the usage of
      [[screen-capture]].
    </p>
    <dl>
      <dt>
        <a>permission state constraints</a>
      </dt>
      <dd>
        Valid values for this descriptor's <a>permission state</a> are
        {{"prompt"}} and {{"denied"}}. The user agent MUST NOT ever set this
        descriptor's <a>permission state</a> to {{"granted"}}.
      </dd>
    </dl>
  </section>
  <section>
    <h3 id="nfc">
      NFC
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"nfc"</dfn>
      permission is the permission associated with the usage of the
      [[web-nfc]] API.
    </p>
  </section>
</section>
<section>
  <h2 id="automation">
    Automation
  </h2>
  <p>
    For the purposes of user-agent automation and application testing, this
    document defines the following <a>extension command</a> for the
    [[WebDriver]] specification.
  </p>

  <pre class='idl'>
    dictionary PermissionSetParameters {
      required PermissionDescriptor descriptor;
      required PermissionState state;
      boolean oneRealm = false;
    };
  </pre>

  <section>
    <h3 id="set-permission-command">
      Set Permission
    </h3>
    <table>
      <tbody>
        <tr>
          <th>HTTP Method</th>
          <th><a lt="extension command URI template">URI Template</a></th>
        </tr>
        <tr>
          <td>POST</td>
          <td>/session/{session id}/permissions</td>
        </tr>
      </tbody>
    </table>
    <p>The <dfn>Set Permission</dfn> <a>extension command</a> simulates user
    modification of a {{PermissionDescriptor}}'s <a>permission state</a>.</p>
    <p>The <a>remote end steps</a> are:</p>
    <ol>
      <li>Let |parameters| be the |parameters| argument, <a>converted to an IDL
        value</a> of type {{PermissionSetParameters}}. If this throws an
        exception, return a <a>WebDriver error</a> with <a>WebDriver error
        code</a> <a>invalid argument</a>.
      <li>Let |rootDesc| be
        |parameters|.{{PermissionSetParameters/descriptor}}.</li>
      <li>Let |typedDescriptor| be the object |rootDesc| refers to,
        <a>converted to an IDL value</a> of
        <code>|rootDesc|.{{PermissionDescriptor/name}}</code>'s <a>permission
        descriptor type</a>. If this throws an exception, return a <a>WebDriver
        error</a> with <a>WebDriver error code</a> <a>invalid
        argument</a>.</li>
      <li>If |parameters|.{{PermissionSetParameters/state}} is an inappropriate
        <a>permission state</a> for any implementation-defined reason, return a
        <a>WebDriver error</a> with <a>WebDriver error code</a> <a>invalid
        argument</a>.
        <p class="note">
          For example, <a>user agents</a> that define the {{"midi"}}
          <a>feature</a> as "always on" may choose to reject command
          to set the <a>permission state</a> to {{"denied"}} at this step.
        </p>
      </li>
      <li>Let |settings| be the <a>environment settings object</a> of the
        <a>current browsing context</a>'s <a>active document</a>.</li>
      <li>If |settings| is a <a>non-secure context</a> and
        <code>|rootDesc|.{{PermissionDescriptor/name}}</code> isn't <a>allowed
        in non-secure contexts</a>, return a <a>WebDriver error</a> with
        <a>WebDriver error code</a> <a>invalid argument</a>.</li>
      <li>If |parameters|.{{PermissionSetParameters/oneRealm}} is true, let
        |targets| be a <a>list</a> whose sole member is |settings|.</li>
      <li>Otherwise, let |targets| be a <a>list</a> containing all
        <a>environment settings objects</a> whose [=environment settings
        object/origin=] is the <a lt="same origin">same</a> as the
        [=environment settings object/origin=] of |settings|.</li>
      </li>
      <li>Let |tasks| be an empty <a>list</a>.
      <li>
        For each <a>environment settings object</a> |target| in |targets|:
        <ol>
          <li><a>Queue a task</a> |task| on the <a>permission task source</a>
            of |target|'s [=environment settings object/responsible browsing
            context=] to perform the following step:</li>
            <ol>
            <li>Interpret |parameters|.{{PermissionSetParameters/state}} as if
              it were the result of an invocation of <a>permission state</a>
              for |typedDescriptor| with the argument |target| made at this
              moment.</li>
            </ol>
          </li>
          <li><a>Append</a> |task| to |tasks|.</li>
        </ol>
      </li>
      <li>Wait for all <a>tasks</a> in |tasks| to have executed.</li>
      <li>Return <a>success</a> with data `null`.</li>
    </ol>
    <div class="example">
      To set permission for <code>{name: {{"midi"}}, sysex: true}</code> of the
      <a>current browsing context</a> of the <a>session</a> with ID 23 to
      "`granted`", the <a>local end</a> would POST to `/session/23/permissions`
      with the body:

      <pre class="lang-json">
      {
        "descriptor": {
          "name": "midi",
          "sysex": true
        },
        "state": "granted"
      }
      </pre>
    </div>
  </section>
</section>
<section class='non-normative'>
  <h2 id="examples">
    Examples
  </h2>
  <div class="example" id="example-geolocation">
  <p>
    This example uses the Permissions API to decide whether local news
    should be shown using the Geolocation API or with a button offering to
    add the feature.
  </p>
  <pre class='highlight'>
    navigator.permissions.query({ name: "geolocation" }).then(({ state }) => {
      switch (state) {
        case "granted":
          showLocalNewsWithGeolocation();
          break;
        case "prompt":
          showButtonToEnableLocalNews();
          break;
        default:
          // Don't do anything if the permission was denied.
          break;
      }
    });
  </pre>
  </div>
  <div class="example" id="example-notifications">
  <p>
    This example is using the {{"notifications"}} permission for a
    chat application to show a notification button depending on the
    permission state.
  </p>
  <pre class='highlight'>
    function updateNotificationButton(state) {
      document.getElementById('chat-notification-button')
        .disabled = (state === 'denied');
    }

    navigator.permissions.query({ name: 'notifications' }).then((result) => {
      updateNotificationButton(result.state);
      result.addEventListener('change', () => {
        updateNotificationButton(result.state);
      });
    });
  </pre>
  </div>
  <div class="example" id="example-two-permissions">
  <p>
    This example is checking whether the page has the
    {{"geolocation"}} and the {{"notifications"}} permissions
    using <code>{{Promise}}.all</code>.
  </p>
  <pre class='highlight'>
    Promise.all([
      navigator.permissions.query({ name: "geolocation" }),
      navigator.permissions.query({ name: "notifications" })
    ])
    .then(([{ state: geoState }, { state: notifState }]) => {
      console.log("Geolocation permission state is:", geoState);
      console.log("Notifications permission state is:", notifState);
    });
  </pre>
  </div>
  <div class="example" id="example-deviceId">
  <p>
    This example is checking the permission state of the available cameras.
  </p>
  <pre class='highlight'>
    navigator.mediaDevices
      .enumerateDevices()
      .then(devices => {
        return Promise.all(devices
          // filter on video inputs
          .filter(({ kind }) => kind === "videoinput")
          // map to query object
          .map(({ deviceId }) => ({ name: "camera", deviceId }))
          // map to query promise
          .map(queryObj => navigator.permissions.query(queryObj))
        );
      })
      // log the state or each camera
      .then(results => results.forEach(
        ({ state }, i) => console.log(`Camera ${i}: "${state}"`)
      ))
      .catch(
        err => console.error(err.stack)
      );
  </pre>
  </div>
</section>
<section class='non-normative'>
  <h2 id="acknowledgments" class="no-num">
    Acknowledgments
  </h2>
  <p>
    The editors would like to thank Adrienne Porter Felt, Anne van
    Kesteren, Domenic Denicola, Jake Archibald and Wendy Seltzer for their
    help with the API design and editorial work.
  </p>
</section>
